Hi folks -
first, a simple, direct question. I'm trying to use the meta backend,
and exclude part of the
back-end directory (which is AD, if that matters).
I tried the following config:
--------------------------
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/core.schema
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/cosine.schema
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/inetorgperson.schema
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd-filter.pid
argsfile /var/run/openldap/slapd-filter.args
loglevel any
access to *
by * read
database meta
suffix "dc=adsroot,dc=itd,dc=umich,dc=edu"
uri "ldap://adsroot.itd.umich.edu/dc=adsroot,dc=itd,dc=umich,dc=edu"
rootdn "cn=Manager,dc=adsroot,dc=itd,dc=umich,dc=edu"
#subtree-exclude "ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
#subtree-exclude "ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
subtree-exclude "dn.subtree:ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
subtree-exclude "dn.subtree:ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
--------------------------
As you can see, I tried two syntaxes for subtree-exclude. With either
one, a search for "cn=danno" returns
dn: cn=danno,ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu
What am I doing wrong? Or do I misunderstand what subtree-exclude is
supposed to be doing?
openldap 2.4.39 on centos 6, x64.
The larger question -
As I posted last week, I am trying to put a proxy in front of Active
Directory. AD has most of the required attributes for my application,
but I need to fill in a couple that are missing. The translucent proxy
makes sense, combined with the collect overlay. Unfortunately, slapd
crashes when it encounters a DN from AD that has one of the collect
attributes (ITS#7797). Not just a lookup failure, a hard crash. :(
So, it next occurred to me to use another instance of slapd with rwm as a
"filter" to remove the attributes I am
trying to use with collect.
It's complicated further by the fact that some subtrees have different
attributes that I want to filter, or not.
I tried something like this:
--------------------------
database ldap
uri ldap://foo
suffix ou=foo,dc=example,dc=edu
[ rwm entries to leave only the attributes i want for ou=foo ]
database ldap
uri ldap://foo
suffix ou=bar,dc=example,dc=edu
[ rwm entries to leave only the attributes i want for ou=bar ]
database meta
uri ldap://foo
suffix dc=example,dc=edu
subtree-exclude ou=foo
subtree-exclude ou=bar
--------------------------
I had to add the third database entry, with the root DN, before auth
would work.
Presuming that i can actually make meta work with the subtree-exclude
like I want, should a config like this work?
As it is, everything is being returned from the third database entry,
with the suffix at the root DN.
So, I'm not sure if this idea of combining multiple ldap databases would
work.
thanks for any input!
danno
--
Dan Pritts
ICPSR Computing
& Network Services
University of Michigan
+1 (734)615-7362
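The behaviour reported in the first question follows from how back-meta evaluates subtree-exclude: per slapd-meta(5), the rule is matched against the request DN of each operation (the search base, or the DN of a bind/modify), and it decides whether a target is contacted at all; it does not drop individual entries from a search result. A subtree search based at the suffix therefore still returns cn=danno from the excluded OU, while a search based inside the excluded OU finds no candidate target and returns nothing. The model below is an added illustration of those semantics, not code from OpenLDAP or from the poster; the entry list is constructed sample data standing in for the AD target, and the DN normalisation is deliberately minimal (no escaped commas or multi-valued RDNs).

```python
"""Model of back-meta target selection under subtree-exclude (added example)."""


def normalize_dn(dn: str) -> str:
    """Minimal DN normalisation: lower-case, strip blanks around ',' and '='.
    Assumption: plain DNs only (no escaped commas, no multi-valued RDNs)."""
    rdns = [part.strip() for part in dn.split(",")]
    return ",".join(
        "=".join(x.strip() for x in rdn.split("=", 1)) for rdn in rdns
    ).lower()


def parse_rule(rule: str):
    """Parse '[dn[.<style>]:]<pattern>' as slapd-meta(5) describes it.
    A bare DN means dn.subtree; supported styles: exact, subtree, children."""
    style = "subtree"
    pattern = rule.strip().strip('"')
    if pattern.lower().startswith("dn"):
        head, sep, rest = pattern.partition(":")
        if sep:
            pattern = rest
            if "." in head:
                style = head.split(".", 1)[1].lower()
    if style not in ("exact", "subtree", "children"):
        raise ValueError(f"unsupported dn style {style!r}")
    return style, normalize_dn(pattern)


def dn_matches(request_ndn: str, style: str, pattern_ndn: str) -> bool:
    """Does the (normalised) request DN fall under the rule?"""
    if style == "exact":
        return request_ndn == pattern_ndn
    is_below = request_ndn.endswith("," + pattern_ndn)
    if style == "children":
        return is_below
    return is_below or request_ndn == pattern_ndn  # subtree


def target_is_candidate(request_dn: str, exclude_rules) -> bool:
    """True if back-meta would still send an operation with this request DN
    to the target; False if any subtree-exclude rule matches the request DN."""
    ndn = normalize_dn(request_dn)
    return not any(dn_matches(ndn, *parse_rule(r)) for r in exclude_rules)


# Constructed sample entries, standing in for what the single AD target holds.
ENTRIES = [
    "cn=danno,ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu",
    "cn=someone,ou=Other,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu",
]


def meta_search(base: str, cn: str, exclude_rules) -> list:
    """Subtree search for (cn=<cn>) through a one-target back-meta.
    If the base DN excludes the only target there is nothing to contact and
    the result is empty; otherwise the target answers with every matching
    entry, the excluded subtree included, because exclusion is decided once
    per operation on the base DN and never on the returned entries."""
    if not target_is_candidate(base, exclude_rules):
        return []
    nbase = normalize_dn(base)
    hits = []
    for entry in ENTRIES:
        ndn = normalize_dn(entry)
        in_scope = ndn == nbase or ndn.endswith("," + nbase)
        if in_scope and ndn.split(",", 1)[0] == f"cn={cn.lower()}":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    rules = [
        '"dn.subtree:ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"',
        "ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu",
    ]
    suffix = "dc=adsroot,dc=itd,dc=umich,dc=edu"
    print("base = suffix    :", meta_search(suffix, "danno", rules))
    print("base = excluded OU:",
          meta_search("ou=ICPSR,ou=Accounts,ou=UMICH," + suffix, "danno", rules))
```

Both syntaxes in the posted config parse to the same dn.subtree rule, so switching between them changes nothing. To actually hide entries from a search rooted at the suffix, the decision has to be made per entry rather than per operation; in slapd that is what an access directive such as `access to dn.subtree="ou=ICPSR,ou=Accounts,..." by * none` does, since ACLs are applied to proxied entries before they are sent.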